Sri Lanka: fintech & payments regulation

Regulated

CBK-regulated fintech under PSS Act; e-money, MVTS, and payment switches licensed

Lead regulator:
Central Bank of Sri Lanka
Key law:
Payment and Settlement Systems Act No. 40 of 2005
Last updated:
2026-07-12

The Central Bank of Sri Lanka (CBK) is the primary regulator for fintech and payment activities under the Payment and Settlement Systems Act No. 40 of 2005. The CBK mandates licensing for mobile e-money operators, Money or Value Transfer Service Providers (MVTS), and payment service providers operating mobile applications. The regulatory framework emphasizes strict security standards, transaction limits, and interoperability through national standards like LANKAQR.

The CBK actively manages the payment ecosystem by setting transaction caps, fee ceilings, and operational guidelines for switches such as CEFTS, SLIPS, and the Common ATM Switch. Recent regulatory updates have focused on enhancing security for mobile payments, standardizing QR code usage, and establishing capital requirements for MVTS providers to ensure financial stability and consumer protection.

Who regulates

  • Central Bank of Sri Lanka

    Primary supervisor for payment systems, e-money, and MVTS

    [1][2][3]
  • Securities and Exchange Commission of Sri Lanka

    Regulator for securities markets, investment advisors, and investment managers

    [4][5]

Core laws & rules

  • Payment and Settlement Systems Act No. 40 of 2005 (2005)

    Establishes the legal framework for payment and settlement systems, empowering the CBK to regulate payment service providers, e-money, and MVTS.

    [6][1]
  • Securities and Exchange Commission of Sri Lanka Act No. 19 of 2021 (2021)

    Establishes the SEC as the primary regulator for securities markets, licensing exchanges, investment managers, and advisors.

    [4]

Licensing & registration

  • Mobile E-Money

    Licensed Finance Companies may operate e-money services through licensed service providers, subject to strict limits on stored value and transaction caps.

    [7][8]
  • Money or Value Transfer Service Providers (MVTS)

    Providers must obtain a Certificate of Registration from the CBK. Amendments in 2025 established a minimum capital requirement. Capital: Rs. 15 million

    [9][1]
  • Payment Service Providers (Mobile Apps)

    Entities operating mobile payment applications must adhere to minimum compliance standards for security, including multi-factor authentication and data encryption.

    [3][10]

Restrictions & warnings

  • Transaction limits are strictly enforced: JustPay max Rs. 150,000; CEFTS standard max Rs. 5 million; LANKAQR max Rs. 500,000. E-money stored value caps are Rs. 150,000 (enhanced KYC) and Rs. 20,000 (basic).

    [11][12][13][8]
  • Mobile payment apps must implement One-Time Password (OTP) verification sent to the registered mobile number for JustPay transactions.

    [3]
  • LANKAQR transactions prohibit charging customers for transactions, though merchants may pay a Merchant Discount Rate capped at 1%.

    [13]

Direction of travel

  • The CBK continues to standardize and promote digital payments through LANKAQR and JustPay, with recent updates focusing on technical specifications and fee structures to enhance interoperability and security.

    [2][11]
  • Regulatory focus remains on strengthening capital requirements for MVTS and ensuring robust security protocols for mobile payment applications to mitigate fraud and operational risks.

    [9][3]

Email alerts for Sri Lanka updates

New circulars, rules and guidance — a digest in your inbox, same day.

This guide is compiled automatically from 13 primary-source documents published by Sri Lanka's regulators, reviewed by RegAlert, and refreshed monthly (last updated 2026-07-12). It is not legal advice — always confirm requirements with the regulator or local counsel before acting.